The description of this plugin explains that this plugin protects a website against XSS, RFI, CRLF, CSRF, Base64, Code Injection and SQL Injection hacking attempts. Someone successfully injected base64 code into my website. Can you explain how that happens if this plugin really protects against base64 injection?

The only way that would be possible is if your site was already hacked. Usually Code Injection is done after a hacker already controls your site. Code Injection is done with Shell Scripts or other custom hacker scripts.

Here is a typical example:
A hacker cracks your WordPress password or your FTP password. They then upload several payload scripts. Typically a Shell hacker script and several hidden backdoor hacker scripts in case you find the Shell script. Once the Shell script is uploaded the hacker then uses that Shell script to inject code into your files.

In summary Code Injection is usually done after your website has already been successfully hacked.

Also, the code could have been added another way: through an exploit or vulnerability in some code you have on your site, either in a plugin, theme or custom script. The hacker could simply exploit that coding flaw and use it to add his code, which would technically not be code injection, but simply an exploitation of flawed code on your website.

BPS is designed to protect against a direct attack, but if you have some coding on your website that allows something that it should not be allowing then this is called an exploit or vulnerability. The hack is done by exploiting the existing flawed code. This would not be a direct attack so there would be nothing indicating a hack was taking place therefore nothing to trigger BPS to block it.

BPS has blocked over 800,000+ hacking attempts on the AITpro websites in the last 3 years so BPS seems to be working pretty well. ;)

Thank you for your explanations. I do understand now. And why doesn't your plugin provide .htaccess protection on wp-contents? I have found so many plugins' code modified. I think you should consider putting this in your plugin.

Yes, you can of course add your own .htaccess file to the wp-content folder. The tricky part is making sure that all of your plugins and other things in the wp-content folder still work correctly. In order to do this correctly without interfering with other things we had to create several whitelisting tools and automate the Plugin Firewall IP Address updating so that it automatically adds your new IP Address each time it changes. You can of course just do this manually.
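As an added example (not part of the original thread and not BPS's own code), here is a small Python scanner for the situation discussed above, where plugin files have been modified with injected base64 code. The regex heuristics, the function names and the sample plugin tree are assumptions constructed for illustration; a match is a lead for manual review, not proof of compromise.

```python
import base64, binascii, re, tempfile
from pathlib import Path

# Heuristic: an executor wrapped around base64_decode, optionally via other decoders.
CHAIN = re.compile(
    r"\b(eval|assert|create_function)\s*\(\s*"
    r"(?:(?:gzinflate|gzuncompress|str_rot13|strrev)\s*\(\s*)*base64_decode\s*\(", re.I)
# Quoted literal of 40+ base64-alphabet characters.
BLOB = re.compile(r"""['"]([A-Za-z0-9+/]{40,}={0,2})['"]""")
# Decoded bytes that look like PHP source rather than binary data.
PHP_HINT = re.compile(rb"<\?php|\$_(GET|POST|REQUEST|COOKIE)|eval\s*\(|system\s*\(", re.I)

def scan_text(text):
    """Return a list of (line_no, reason) findings for one PHP source string."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if CHAIN.search(line):
            findings.append((no, "exec-of-base64"))
        for m in BLOB.finditer(line):
            try:
                decoded = base64.b64decode(m.group(1), validate=True)
            except (binascii.Error, ValueError):
                continue  # not valid base64 (for example a hash or a long identifier)
            if PHP_HINT.search(decoded):
                findings.append((no, "blob-decodes-to-php"))
    return findings

def scan_tree(root):
    """Scan every *.php file under root; return {relative_path: findings}."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = scan_text(path.read_text(errors="replace"))
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report

def demo():
    """Constructed wp-content tree: one clean plugin file, one modified file."""
    payload = base64.b64encode(b"echo 'constructed sample payload for $_GET testing';").decode()
    with tempfile.TemporaryDirectory() as tmp:
        plug = Path(tmp, "plugins", "example-plugin")
        plug.mkdir(parents=True)
        (plug / "clean.php").write_text("<?php\nfunction hello() { return 'hi'; }\n")
        (plug / "modified.php").write_text(
            "<?php\n/* header */\neval(base64_decode('%s'));\n" % payload)
        return scan_tree(tmp)

if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, hits)
```

To check a real site, call `scan_tree()` on a copy of the wp-content folder and compare any flagged file against a fresh download of the same plugin or theme version.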